New Federal Privacy Bill: Commercial Facial Recognition Privacy Act
The Commercial Facial Recognition Privacy Act was introduced in the US Senate last week. It would prohibit non-government entities from using facial recognition technology to identify or track an end user without affirmative consent. The bill is sponsored by Senators Brian Schatz (D-HI) and Roy Blunt (R-MO).
The adoption of the European Union's General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA) has spurred debate in the federal government over a comprehensive new federal privacy law. The Commercial Facial Recognition Privacy Act, however, takes a different and more limited approach. It skips the seemingly controversial task of crafting the specifics of a broad privacy law in favor of a targeted one that addresses a specific technology and its implications for privacy. This is more in line with the federal government's past sector-specific approach to privacy, which produced laws such as the Health Insurance Portability and Accountability Act (HIPAA) and the Gramm-Leach-Bliley Act (GLBA).
The Commercial Facial Recognition Privacy Act regulates facial recognition through an opt-in consent framework, which could be a point of controversy in the bill. The opt-in versus opt-out consent debate has been evident in Congress recently: Senator Dianne Feinstein (D-CA), Ranking Member of the Senate Judiciary Committee, expressed her support last week for an affirmative opt-in consent requirement as the standard during the Senate Judiciary Committee hearing on the CCPA and GDPR. The proposed Digital Accountability and Transparency to Advance Privacy Act (DATA Privacy Act), introduced by Senator Catherine Cortez Masto (D-Nevada), took a slightly more limited approach and required opt-in consent for all processing outside the context of the business-customer relationship. However, many of the experts testifying at the Senate Judiciary Committee hearing expressed general support for opt-out consent, which is the method favored by the CCPA. The Washington Privacy Act, which recently passed the Washington state Senate by a vote of 46-1 and contains measures regulating facial recognition technology, would not, if passed, also require express affirmative opt-in consent for facial recognition.
The preemption issue, which has been discussed in the context of a comprehensive bill, could be another sticking point even for a more limited privacy bill like this one. The use of facial recognition is currently regulated in a few states by privacy laws such as the Illinois Biometric Information Privacy Act (BIPA), and in order to gain business support for a federal law, business supporters could ask for preemption of the Illinois law. BIPA was the first law in the country to regulate the collection and storage of biometric information. It requires businesses to obtain consent from, and give notice to, individuals regarding their use of biometric information, including facial recognition. The law has been in the news over the past few months as businesses challenged (unsuccessfully so far) whether its private cause of action requires a showing of actual harm. The Illinois Supreme Court recently concluded that it does not.
What does the Commercial Facial Recognition Privacy Act require?
The bill imposes a few different restrictions on facial recognition technology:
– Prohibits the use of facial recognition technology to collect facial recognition data without affirmative consent and, where the technology is present, without concise notice to the user and documentation of its capabilities.
– Prohibits the use of facial recognition technology to discriminate against an end user in violation of federal or state law.
– Prohibits repurposing the data for a purpose not identified to the end user when affirmative consent was obtained.
– Prohibits sharing the data with an unaffiliated third party without affirmative consent.
Affirmative consent is defined as an individual, voluntary and explicit agreement with the controller on its collection and data use policies. Consent requires notice from the controller of the processor's specific practices regarding the collection, storage and use of facial recognition data, including:
– the reasonably foreseeable purposes for collection and sharing by the processor;
– the data retention and deidentification practices of the processor;
– the process to review, correct or delete information, if offered by the controller.
Other Requirements:
Prohibits Conditioning the Service on Consent if Unnecessary: If facial recognition is not necessary for a service, a controller may not require consent (or a waiver of privacy rights) as a condition of the service, or terminate or refuse service to an end user who does not provide affirmative consent.
Human Review Requirement: Any final decision based on facial recognition technology must employ meaningful human review if the decision may be unexpected, highly offensive, or may result in reasonably foreseeable material physical or financial harm.
Independent API Testing: An online API that makes facial recognition technology available must enable at least one third party to conduct legitimate independent tests for accuracy and bias.
Rulemaking
The proposed law authorizes the FTC to issue regulations, taking into account the size of the processor, the complexity of the offering, and the nature and scope of its activities, on:
– minimum data security, data minimization and retention standards for processors;
– what requires human review under the harmful and highly offensive standards;
– expansion of the list of exemptions from the affirmative consent and notice requirements.
Enforcement
The law would take effect 180 days after enactment. A violation would be treated as an unfair or deceptive act or practice and enforced by the Federal Trade Commission under the FTC Act. A state attorney general, or another state official authorized to bring such actions, may also bring a civil action to protect the interests of the state's residents, provided the required notice is given to the FTC.
Other Facial Recognition Laws
The federal bill is not the only facial recognition measure under consideration in the United States; several bills have been proposed in the states. Florida is considering replicating the Illinois Biometric Information Privacy Act (BIPA). If adopted, the Washington Privacy Act (SB 5376) would require covered businesses to provide conspicuous notice of the use of facial recognition, require meaningful human review of profiling decisions with significant effects, and require processors of facial recognition to prohibit illegal discrimination. The Commercial Facial Recognition Privacy Act would go further, however, in requiring express affirmative consent before processing.